Skip Menu |

Subject: git commit
Download (untitled) / with headers
text/plain 1.1KiB

Fix some principal realm canonicalization cases

The no_hostrealm and subst_defrealm flags in struct canonprinc were
only applied when dns_canonicalize_hostname=fallback; in the other
cases, the initial krb5_sname_to_principal() result is treated as
canonical. For no_hostrealm this limitation doesn't currently matter,
because all uses pass a principal with no realm as input. However,
subst_defrealm is used to convert the referral realm to the default
realm in krb5_get_init_creds_keytab(), krb5_cc_cache_match(), and
gss_acquire_cred() when it needs to check the desired name against a
specified ccache.

In k5_canonprinc(), if the input principal is a
krb5_sname_to_principal() result and fallback isn't in effect, apply
subst_defrealm. Document in os-proto.h that no_hostrealm doesn't
remove an existing realm and that krb5_sname_to_principal() may
already have looked one up.
Author: Greg Hudson <>
Commit: c077d0c6430c4ac163443aacc03d14d206a4cbb8
Branch: master
src/lib/krb5/os/os-proto.h | 13 +++++++++----
src/lib/krb5/os/sn2princ.c | 24 +++++++++++++++++++++---
2 files changed, 30 insertions(+), 7 deletions(-)